(54) A uniform mechanism for using signed content



(57) Abstract

A scheme for downloading signed content onto a machine by a delivery mechanism (such as floppy diskettes and the Internet) is described. While there are no restrictions on the nature of the contents, the signature on the content describes the security credentials of the creator, the resource requirements, and licensing information (such as the time period of its validity). Once the content has been downloaded, it can be used on the client machine in various ways. It can be installed on the client machine and thereafter users can execute it. Any use of the content requires access to computing resources on the client machine. This access is mediated by means of a security manager that uses the information in the content's signature to manufacture capabilities that grant and regulate access to different subsets of the computing resources. In this sense, our scheme unifies work done in the previously disparate fields of network security and operating systems and results in data structures and algorithms that combine and manipulate elements of both.
Description

The present invention relates to a uniform mechanism for using signed content, in particular in computer security mechanisms for safely executing software which has been obtained over a network or by other means from an untrusted source.

In order to increase the utility of networked computers, methods have been sought to allow them to execute programs obtained from servers. The primary advantage of such a system from the user's viewpoint is that it decreases the amount of software that must be stored on the user's computer. From the software developer's viewpoint, the system has a number of advantages, the main one being that the application provider has greater control over the distribution of the programs. The use of embedded Java applets (i.e. programs) in World Wide Web documents is a popular example of such a system.

A significant concern with this approach is that the software obtained from the sender may be malicious and damage the user's computer or steal data. The downloaded software must therefore be executed in a controlled environment in which it is given only the system resources that it needs and no more. The main problem with the current Java applet security mechanism is that it is not flexible enough. All Java applets are considered hostile and are not allowed to access most resources on the user machine's operating system.

There are a variety of standard techniques for public key cryptography and authentication. RSA is an example of a widely used public key cryptography algorithm. Examples of implementations include RSAref and PGP.

Mechanisms also exist to create digital signatures for messages. These bind a person to the contents of a message. They can also be used to create digital signatures for messages such that the creator of the message cannot disavow the message. The MD5 algorithm in conjunction with RSA is an example of a signature system. (MD5 has since been shown to be vulnerable to collisions, so a signature scheme built today should use a hash such as SHA-256 together with a padded RSA signature mode rather than MD5 with textbook RSA.)

A number of computer operating systems use capabilities to control access to system resources. A capability is a permission held by a process to perform some action on another object. Notable operating systems that use capabilities for enforcing security are Amoeba and Mach.

In accordance with a first aspect of the present invention, a secure content usage system and method for use in a computing system is provided. The system includes a content importation mechanism; an extractor, operatively connected to receive signed content imported by way of the importation mechanism, for extracting portions of a signature from the signed content, the portions including security credentials associated with the content and resource requirements for using the content; an analysis module for verifying authenticity and integrity of the signed content using at least the security credentials supplied by the extractor and taking remedial actions when any of the authenticity and the integrity are in doubt; and, an enforcement module for ensuring that use of the signed content conforms to the resource requirements and security credentials.

In accordance with a second aspect of the present invention, there is provided a computer readable memory having signed content instantiated thereon. The signed content includes a computer readable signature and computer readable content, the computer readable signature including a plurality of fields comprising a security credentials field including cryptographic identities of at least an originator and intermediaries involved in a chain of distribution of the computer readable content and a resource requirements field identifying computing resources required for using the computer readable content.

In accordance with a third aspect of the present invention, a content usage system and method for enforcing licensing terms in a computing system is provided. The system includes a content importation mechanism; an extractor, operatively connected to receive signed content imported by way of the importation mechanism, for extracting portions of a signature from the signed content, the portions including computer readable licensing terms associated with the content; and, an enforcement module for controlling operation of the computing system so as to ensure that use of the signed content conforms to the licensing terms.

Figure 1 is an abstract view of a content delivery mechanism according to the principles of the present invention;

Figure 2 shows sources and intermediaries in a content delivery system;

Figure 3 shows how the manufacturer/author and intermediaries add their signatures to the content being delivered in accordance with an embodiment of the present invention;

Figure 4 shows the modules involved in processing the signed content in the user machine according to an embodiment of the present invention;

Figure 5 shows the Access Information table used by the Enforcer module of Figure 4;

Figure 6 depicts the relationship between the capabilities of the various entities in the secure content usage system of Figure 4;

Figure 7 shows the relationship between the privileges given to different users for the signed content in the system of Figure 4;

Figure 8 shows an embodiment of the present invention when the signed content is a Java applet;

Figure 9 shows the actions taken by the secure content usage system of Figure 4 upon receipt of signed content; and,

Figure 10 shows the method by which security is enforced by the Enforcement module of Figure 4.
Detailed Description of the Preferred Embodiment

The embodiments of this invention will now be 
described in detail with reference to the drawings. 

Figure 1 gives an abstract description of the invention. A user 1 uses a client machine 4 and uses a content delivery mechanism 5 to transfer signed content 6 to his/her machine. Examples of delivery mechanisms include floppy diskettes, CD-ROMs and the Internet. Examples of executable content include Java applets, OLE components and SOM components. The content has a signature. Other types of content could include text, audio and video. The signature includes four fields. The first field 7 is a list of the security credentials of the software. This is described in further detail in Figure 3. Examples of security credentials include the identities of the author and the manufacturer. The credentials guarantee that the content was created and distributed by the principals whose credentials occur on the list, provided the verifier can bind each credential to a key it already trusts. In addition, they provide a means to check that the content has not been altered after it was signed. Further, they provide a means of ensuring that the author cannot disavow the content that he/she has created. The second field 8 describes the computing resources 3 that the content needs on the client machine. These resources are needed for the content to achieve its purpose on the client machine. Examples of purpose include installing and executing the signed content. Examples of computing resources include disk space, file space, file access, RAM, CPU, networking capabilities and the user display.

Once the signed content is downloaded to the user's machine, the user can use the content in various ways. Examples of use of the content include installing it, viewing it and executing it. The content is used in a carefully controlled environment 2 on the client machine. This use of the signed content may require access to computing resources on the client machine. The resources required for using the signed content 8 are part of the signature of the content. Access to such resources is mediated by means of a secure content usage system 2.

The third field (this is optional) provides licensing information 9. Examples of licensing information include terms and conditions for use such as the number of machines and the time period for which the content can be used. The fourth field (this is optional) is the registration information 10. This information is used to automatically register the content with the provider.

Figure 2 depicts an example of the content delivery mechanism. The content originates on a manufacturer's or an author's machine 15, 16, 17 and makes its way via a number of intermediary machines 12, 13, 14 before being downloaded to the client machine 11.

Figure 3 depicts the accumulation of credentials in the signed content as it is distributed from the manufacturer's machine 22 to the user's machine 20. The manufacturer adds its security credentials to the signed content 25 before sending it by some means 27 to an intermediary 21. The intermediary, in turn, adds its security credentials to the signed content 24, before sending it to the next intermediary in the distribution chain. In this manner, when the signed content finally arrives at the user, it contains a list of the security credentials of all the intermediaries and the manufacturer 23. For the list to be trustworthy, each added signature should cover the content together with the credentials already on the list, so that an intermediary cannot remove or reorder earlier entries without invalidating its own signature.

Figure 4 depicts the downloading of signed content from a content provider 32 and subsequent processing in a secure content usage system 31. The secure content usage system 31 can be embodied as part of a general purpose computing system (not shown), such as an IBM PC personal computer, an IBM RS/6000 workstation or any other workstation suitable for use as a client system. The signed content is downloaded by a content importation system 33. An extractor 34 parses the fields of the signature and passes this information to the analyzer module 35. The analyzer verifies the integrity of the content. It then examines the list of security credentials to determine the level of access and trust that the content should be used with on the machine. Next, it looks at the resource requirements of the content and determines, possibly with user input, if these requirements can be met. This information is then passed to the content interpreter 36 and the enforcement module 37.
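The credential chaining of Figure 3 and the verification step of the analyzer of Figure 4, as an added example that is not part of the patent text. It uses a textbook RSA implementation with a seeded random generator so that it runs offline and reproducibly; the principal names, the envelope's field layout, the `analyze` function and the sample applet bytes are assumptions made for illustration, and a real deployment would use a padded signature scheme from a vetted library rather than this toy. Each signer's signature covers the content hash, the resource and licensing fields and all earlier credentials, so an intermediary cannot alter what came before it without invalidating its own link.

```python
import hashlib
import json
import random

# Added example (not the patent's code): a toy signature chain modelled on
# Figures 3 and 4. Textbook RSA without padding and a seeded RNG keep it short
# and reproducible; use RSA-PSS or Ed25519 from a vetted library for real work.
_rng = random.Random(7)

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test, adequate for a demonstration key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits=512):
    """Return (public, private). 512-bit keys are a toy size; use 3072+ for real."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _digest_int(data):
    # SHA-256 in place of the MD5 named in the text; MD5 is collision-broken.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(priv, data):
    return pow(_digest_int(data), priv["d"], priv["n"])

def rsa_verify(pub, data, sig):
    # n has its top bit set at 512 bits, so the 256-bit digest is always < n.
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data)

def _to_be_signed(env, upto):
    """Canonical bytes over content hash, resource/licence fields and the first
    `upto` credentials, so each signer also vouches for the chain before it."""
    view = {
        "content_sha256": hashlib.sha256(env["content"]).hexdigest(),
        "resources": env["resources"],
        "licensing": env["licensing"],
        "credentials": env["credentials"][:upto],
    }
    return json.dumps(view, sort_keys=True).encode()

def add_credential(env, principal, pub, priv):
    """Figure 3: the manufacturer, then each intermediary, appends its credential."""
    sig = rsa_sign(priv, _to_be_signed(env, len(env["credentials"])))
    env["credentials"].append({"principal": principal, "pub": pub, "sig": sig})
    return env

def analyze(env, trusted_authors):
    """Figure 4 analyzer: check every link, then root trust in a key the client
    already holds. Returns (ok, reason, principals in distribution order)."""
    creds = env["credentials"]
    if not creds:
        return False, "unsigned content", []
    for i, cred in enumerate(creds):
        if not rsa_verify(cred["pub"], _to_be_signed(env, i), cred["sig"]):
            return False, "bad signature from " + cred["principal"], []
    author = creds[0]
    if trusted_authors.get(author["principal"]) != author["pub"]:
        return False, "author " + author["principal"] + " not trusted", []
    return True, "verified", [c["principal"] for c in creds]

def demo():
    """Constructed walk-through: author -> distributor -> client, then a copy
    whose resource field was edited after signing (constructed sample data)."""
    author_pub, author_priv = rsa_keypair()
    dist_pub, dist_priv = rsa_keypair()
    env = {"content": b"class Applet {}", "resources": {"disk_kb": 64, "net": False},
           "licensing": {"valid_days": 30}, "credentials": []}
    add_credential(env, "author", author_pub, author_priv)
    add_credential(env, "distributor", dist_pub, dist_priv)
    trusted = {"author": author_pub}
    tampered = dict(env, resources={"disk_kb": 64, "net": True})
    return analyze(env, trusted), analyze(tampered, trusted)
```

The tampered copy fails at the author's link because the author signed the original resource field; a check that looked only at the last signer would miss this, which is why `analyze` walks every link and then requires the first principal to be in a locally configured trusted set rather than trusting whatever keys the chain itself carries.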

The content importation mechanism 33 can be embodied, for example, as a network interface (e.g. one which can couple a user to the Internet), a diskette subsystem, a CD-ROM subsystem or a cartridge memory subsystem. The extractor 34, the analysis module 35, the content interpreter 36 and the enforcement module 37 can be embodied as program code executable by the workstation on which the secure content will be executed. The enforcement module is preferably coupled to the workstation's operating system (such as OS/2, UNIX or Windows NT). The content interpreter 36 can be embodied as a module within the operating system or it can be distinct from the operating system (such as a Java interpreter).

The flow chart corresponding to the operation of the system of Figure 4 is shown in Figure 9. The content interpreter is the mechanism by which the content is used. Examples of the content interpreter include Internet browsers and the Java virtual machine. The enforcement module uses the level of trust determined by the analyzer to create entries in an access information table. This table is described in Figure 5.

Use of signed content typically requires access to operating system resources. Figure 5 depicts a table 40 that the enforcement module uses to keep track of the resources that have been requested and consumed by signed contents that are being used on its machine. The enforcement module uses the security credentials 41 on the signed content to determine the limit on the resources 42 that the signed content should be given on the client machine. This determination can be done in a variety of ways including preconfiguration by means of tables and requesting explicit user input to determine the access that the content should get. Effectively, the enforcement module manufactures a capability for the signed content that reflects "who gets how much access of what". Typically, the resources that a signed content gets are a subset of the resources that the user has access to on the client machine. The security manager keeps track of the resources that have been consumed 43 by the content. This is achieved by ensuring that all accesses to the system resources by the signed content pass through the security manager. The table also contains an entry for the resources that have been requested 44 by the signed content. If at any time the resources consumed 43 exceed either the resource limit 42 or the resources requested 44, the security manager can take remedial action. Examples of remedial action include terminating the use of the signed content and asking the user for guidance on how to proceed.

Figure 6 depicts the relationship between the capabilities of the various entities. The user's privileges 51 are a subset of the privileges of the operating system 50. The signed content is executed in an environment whose privileges 52 are a subset of the user's privileges. In turn, the privileges of the signed content 53 are a subset of those of its execution environment. The use of the signed content may cause the use of other content on the client machine. For instance, executing a Java applet may cause another executable to be instantiated into a process on the client machine. The privileges of such spawned content 54 are a subset of the privileges accorded to the signed content. Note that incorporating the resource requirements in the signature of a signed content provides the security manager with an effective mechanism for implementing these restrictions. The spawned content can be allowed to execute as long as the resources it consumes are a subset of the resource limits placed on the signed content. All this information can be tracked in the security manager table shown in Figure 5.

Once the signed content is downloaded onto the user's machine, the user gets a capability to use the content. This capability is associated with the user who initiated the transfer. The user can permit other users to use the signed content on his/her machine. Figure 7 shows the relationship between the privileges of other users such as 61, 62 and 63 and the privileges of the installing user 27. For instance, if the signed content was a Lotus document, then a user's privileges would reflect whether he could read, write or change the document.
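The access information table, the nested capabilities and the per-user rights of Figures 5 to 7, together with the per-call mediation of Figure 10, as an added example that is not the patent's own code. The resource names, the `trust_policy` table (a stand-in for the preconfiguration tables mentioned above), the `licence` field and every number in `demo()` are assumptions made for illustration.

```python
import time

# Added example (not the patent's code): the Figure 5 access information table
# with the capability nesting of Figures 6 and 7 and the mediation of Figure 10.
# Resource names, the trust_policy shape and all demo() numbers are assumptions.


class PolicyViolation(Exception):
    """Raised when a use would exceed a limit; the caller picks the remedial action
    (terminate the content, or ask the user how to proceed)."""


class Enforcer:
    def __init__(self, user_limits, trust_policy, now=None):
        # user_limits: the installing user's own privileges (51 in Figure 6); every
        # grant is carved out of these. trust_policy maps a credential chain, as a
        # tuple of principal names, to the share of those limits it may receive
        # (the "preconfiguration by means of tables" in the text).
        self.user_limits = user_limits
        self.trust_policy = trust_policy
        self.now = now or time.time
        self.table = {}  # content name -> one row of the Figure 5 table

    def _limit_for(self, credentials, requested, parent):
        # A spawned content's ceiling is its parent's limit, not the user's (Figure 6, 54).
        ceiling = self.table[parent]["limit"] if parent else self.user_limits
        share = self.trust_policy.get(tuple(credentials), 0.0)  # unknown chain: nothing
        return {res: min(amount, int(ceiling.get(res, 0) * share))
                for res, amount in requested.items()}

    def grant(self, name, credentials, requested, licence, owner, parent=None):
        """Manufacture the capability: 'who gets how much access of what'."""
        expires = licence.get("expires")
        if expires is not None and expires < self.now():
            raise PolicyViolation(f"{name}: licence expired")
        limit = self._limit_for(credentials, requested, parent)
        if any(limit[res] == 0 < requested[res] for res in requested):
            raise PolicyViolation(f"{name}: credentials {list(credentials)} grant no access")
        self.table[name] = {"limit": limit, "requested": dict(requested),
                            "consumed": {res: 0 for res in requested},
                            "licence": licence, "parent": parent,
                            "users": {owner: set(requested)}}
        return limit

    def consume(self, name, user, resource, amount):
        """Figure 10: every access to a system resource passes through here."""
        row = self.table[name]
        if resource not in row["users"].get(user, ()):
            raise PolicyViolation(f"{user} may not use {resource} of {name}")
        total = row["consumed"][resource] + amount
        if total > row["requested"].get(resource, 0) or total > row["limit"].get(resource, 0):
            raise PolicyViolation(f"{name}: {resource} would reach {total}, over its limit")
        row["consumed"][resource] = total
        return total

    def delegate(self, name, granter, grantee, resources):
        """Figure 7: a user may pass on a subset of his or her own rights, never more."""
        own = self.table[name]["users"].get(granter, set())
        if not set(resources) <= own:
            raise PolicyViolation(f"{granter} cannot delegate {sorted(set(resources) - own)}")
        self.table[name]["users"][grantee] = set(resources)

    def revoke(self, name, user):
        """The security manager may revoke a user's capability at any time."""
        self.table[name]["users"].pop(user, None)


def demo():
    """Constructed walk-through; returns (limit, child_limit, violation messages)."""
    enf = Enforcer(user_limits={"disk_kb": 1000, "net_conns": 10},
                   trust_policy={("acme", "retailer"): 0.5, ("acme",): 1.0},
                   now=lambda: 1_000_000)
    limit = enf.grant("editor", ["acme", "retailer"], {"disk_kb": 800, "net_conns": 2},
                      {"expires": 2_000_000}, owner="alice")
    events = []
    enf.consume("editor", "alice", "disk_kb", 400)  # within the limit of 500
    for action in (lambda: enf.consume("editor", "alice", "disk_kb", 200),  # 600 > 500
                   lambda: enf.grant("stale", ["acme"], {"disk_kb": 1},
                                     {"expires": 999}, owner="alice"),
                   lambda: enf.grant("mystery", ["unknown"], {"disk_kb": 1}, {}, owner="alice")):
        try:
            action()
        except PolicyViolation as exc:
            events.append(str(exc))
    child = enf.grant("helper", ["acme"], {"disk_kb": 900}, {}, owner="alice", parent="editor")
    enf.delegate("editor", "alice", "bob", ["net_conns"])
    try:
        enf.consume("editor", "bob", "disk_kb", 1)  # bob was only given net_conns
    except PolicyViolation as exc:
        events.append(str(exc))
    return limit, child, events
```

Remedial action is deliberately left to the caller: `PolicyViolation` carries enough context for the security manager to terminate the content or to prompt the user, the two responses the text names, and the spawned `helper` content is capped at its parent's limit rather than at the user's, which is the subset relation of Figure 6.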

Figure 8 shows an embodiment where the signed content is a signed Java applet 80. The list of security credentials 79 on the applet are those of its author, the manufacturer and the retailer. The applet resides on a server machine 77 and is managed by a server process 78. Note that the server machine and server process are merely a distribution mechanism and they need not have any relation with the author. The content delivery mechanism is the Internet 76.
A client agent 72 acting on behalf of a user 71 and residing on a client machine 70 downloads the applet by contacting the server process. The client agent sends its security credentials, such as the identity of the user (such as its public key or certificate) and the identity of the client machine (such as its IP address), to the server process. This information is used by the server process to authenticate the users and keep track of the usage of the applet; an IP address identifies the machine only loosely and should not be relied on as an authenticator on its own. In response, the server process sends the signed applet, the identity of the server machine and the server process' public key (or certificate) back to the client. The server must encrypt its response with the public key of the user to ensure that the applet is securely conveyed to the client machine. Encrypting to the user's public key protects the confidentiality of the response in transit; it does not by itself prove who sent it, which is why the client still verifies the applet's signature chain on receipt.

The client agent decrypts the server's response using its private key and verifies the integrity of the content and the associated signature. Once this is done, the client agent determines the security credentials and the resource requirements of the signed content, and extracts the security information in the response, that is, the identities of the creator (such as public key or certificate), the server process (such as public key or certificate) and the server machine (such as IP address). This information, along with the name of the applet, the resource requirements stated in the signature and the identities of the user and the client machine, is passed to the security enforcer 74. The security credentials of the signed applet are stored as a capability: a triple consisting of the name of the signed content, the security credentials and the stated resource requirements, which is given to the security manager.

The security enforcer is akin to the security manager in the Java runtime environment. It is a trusted system service that cannot be changed. It uses the security credentials of the signed content to compute the capabilities with which the applet can be executed on the client machine. When the signed content is set in execution, all calls to system resources are mediated through the security manager. The security manager uses the capability associated with the applet to determine if the resources requested by the applet should be granted (Figure 10). The manager can be used to program a range of security policies to determine the type of access that the signed applet has to the system resources. These can range from simple policies such as no access and complete access to access configured in advance by the user and access explicitly granted by prompting the user by means of dialog boxes.

The user who downloads the applet determines who else is allowed to access it. For each user a special capability is manufactured. When the content is invoked, it does so with a subset of the access rights of the invoker. At any time the security manager may revoke capabilities given to users of the applet.

Now that the invention has been described by way of the preferred embodiment, various modifications and improvements will occur to those of skill in the art. Thus, it should be understood that the preferred embodiment has been provided as an example and not as a limitation. The scope of the invention is defined by the appended claims.

In summary, there is described a scheme for downloading signed content onto a machine by a delivery mechanism (such as floppy diskettes and the Internet). While there are no restrictions on the nature of the contents, the signature on the content describes the security credentials of the creator, the resource requirements, and licensing information (such as the time period of its validity). Once the content has been downloaded, it can be used on the client machine in various ways. It can be installed on the client machine and thereafter users can execute it. Any use of the content requires access to computing resources on the client machine. This access is mediated by means of a security manager that uses the information in the content's signature to manufacture capabilities that grant and regulate access to different subsets of the computing resources. In this sense, our scheme unifies work done in the previously disparate fields of network security and operating systems and results in data structures and algorithms that combine and manipulate elements of both.

Claims 

1. A secure content usage system for use in a computing system, comprising:

a content importation mechanism;

an extractor, operatively connected to receive signed content imported by way of the importation mechanism, for extracting portions of a signature from the signed content, the portions including security credentials associated with the content and resource requirements for using the content;

an analysis module for verifying authenticity and integrity of the signed content using at least the security credentials supplied by the extractor and taking remedial actions when any of the authenticity and the integrity are in doubt; and,

an enforcement module for ensuring that use of the signed content conforms to the resource requirements and security credentials.

2. The system of Claim 1 wherein the extractor further includes one or both of:

i) means for extracting registration information from the signature and further comprising means for registering the signed content with a provider without further user intervention; and

ii) means for extracting licensing terms from the signature and wherein the enforcement module includes means for interacting with the operating system to ensure that the use conforms with the licensing terms.

3. The system of Claim 1 further including a data structure stored in a memory of the computing system, the data structure including a table of correspondence between users, the security credentials and features of the signed content, wherein the enforcement module is connected to read the table of correspondence from the data structure and includes means for enforcing use of the signed content by the users in accordance with the correspondence.

4. The system of Claim 1 wherein the enforcement module includes means for tracking processes spawned from the signed content and for ensuring that operation of the processes conforms to the resource requirements and security credentials.

5. The system of Claim 1 wherein the importation mechanism is one of:

i) a communication channel coupled to a communication network;

ii) rotating storage; or

iii) a removable memory card.

6. The system of any of Claims 1 to 5 further including a data structure stored in a memory of the computing system, the data structure including a table of correspondence between the signed content, the resource requirements, actual resources consumed by the signed content and any resource limits imposed on the signed content by the computing system.

7. The system of Claim 6 wherein the table further includes usage restrictions imposed on the signed content by the licensing terms.

8. A computer readable memory having signed content instantiated thereon, the signed content including a computer readable signature and computer readable content, the computer readable signature including a plurality of fields comprising a security credentials field including cryptographic identities of at least an originator and intermediaries involved in a chain of distribution of the computer readable content and a resource requirements field identifying computing resources required for using the computer readable content.

9. A content usage system for use in a computing system, comprising:

a content importation mechanism;

an extractor, operatively connected to receive signed content imported by way of the importation mechanism, for extracting portions of a signature from the signed content, the portions including computer readable licensing terms associated with the content; and

an enforcement module for controlling operation of the computing system so as to ensure that use of the signed content conforms to the licensing terms.

10. A method for ensuring secure usage of signed content in a computing system, comprising:

importing the signed content into the computing system;

extracting portions of a signature from the signed content, the portions including security credentials associated with the content and resource requirements for using the content;

verifying authenticity and integrity of the signed content using at least the security credentials and taking remedial actions when any of the authenticity and the integrity are in doubt; and

controlling an operating system of the computing system so as to ensure that use of the signed content does not exceed the resource requirements and security credentials.

11. The method of Claim 10 comprising one or both of the further steps of:

extracting registration information from the signature and registering the signed content with a provider by way of a communication channel without further user intervention; and

extracting licensing terms from the signature and controlling the operating system to ensure that the use of the signed content conforms with the licensing terms.

12. The method of Claim 10 or 11 comprising the further steps of forming a data structure in a memory of the computing system, the data structure including a table of correspondence between users, the security credentials and features of the signed content, and enforcing use of the signed content by the users in accordance with the correspondence.



13. The method of Claim 10, 11 or 12 comprising the further steps of tracking processes spawned from the signed content and constraining operation of the processes so as to conform to the resource requirements and security credentials.

14. The method of any of Claims 10 to 13 wherein the signed content includes at least one of an application program and a document.


15. A method of controlling content usage in a computing system, comprising the steps of:

importing contents into the computing system, the contents including computer readable licensing terms;

extracting the computer readable licensing terms from the imported contents; and

controlling operation of the computing system so as to ensure that use of the signed content conforms to the licensing terms.

16. The method of Claim 15 comprising the further steps of extracting registration information from the signature and automatically registering the signed content with a provider by way of a communication channel without further user intervention.

FIG. 2

FIG. 6: privileges of secure spawned content

FIG. 7: functionality of the signed content

FIG. 9

FIG. 10